The personal information of what could be hundreds of thousands of Instacart customers is being sold on the dark web. This data includes names, the last four digits of credit card numbers, and order histories, and appears to have affected customers who used the grocery delivery service as recently as yesterday.
As of Wednesday, sellers in two dark web stores were offering information from what appeared to be 278,531 accounts, although some of those may be duplicates or not genuine. As of April, Instacart had "millions of customers across the US and Canada," according to a company spokesperson.
The company denied there had been a breach of its data.
"We are not aware of any data breach at this time. We take data protection and privacy very seriously," an Instacart spokesperson told BuzzFeed News. "Outside of the Instacart platform, attackers may target individuals using phishing or credential stuffing techniques. In instances where we believe a customer’s account may have been compromised through an external phishing scam outside of the Instacart platform or other action, we proactively communicate to our customers to auto-force them to update their password."
The source of the information, which also included email addresses and shopping data, was unknown, but appeared to have been uploaded from at least June until today.
“It’s looking recent and totally legit,” Nick Espinosa, the head of cybersecurity firm Security Fanatics, told BuzzFeed News after reviewing the accounts being sold.
Two women whose personal information was for sale confirmed they were Instacart customers, that their last order date and amount matched what appeared on the dark web, and that the credit card information belonged to them.
“If they’re aware that this happened and haven’t informed us, that’s problematic.”
“I don’t really know what to say. It’s hard to know what to say, not knowing if it’s a result of [Instacart's] negligence,” Hannah Chester told BuzzFeed News. “But if they’re aware that this happened and haven’t informed us, that’s problematic.”
After this story was published, Chester contacted Instacart customer support who told her the issue was likely with password reuse across other websites or apps. Chester said she does not reuse passwords for her logins.
The other woman, Mary M., who asked for her full name not to be used, told BuzzFeed News she would cancel her Instacart account and use a different service.
“I think that it’s very unfortunate that you were the one to tell me and not Instacart,” she said. “I feel like if you know about it, why in the world don’t they? Why haven’t they reached out?”
The account information was being sold for around $2 per customer. According to one of the websites where the information was being sold, the personal data of people using Instacart accounts had been added throughout June and July, with the most recent upload being July 22.
BuzzFeed News is not naming the sites where the information is being bought and sold.
In cases of identity theft, experts often recommend a series of steps, including changing passwords, using a password manager, and turning on two-factor authentication. People who notice or suspect suspicious financial activity should contact their bank and credit card company.
This story has been updated to include the number of people Instacart says use its service.